Re: Sync Replication via TLS/SSL - get bind err

On Friday 21 December 2007 00:31:12 RUMI Szabolcs wrote:
> Hello!
> On Thu, 20 Dec 2007 12:08:16 -0800
> Quanah Gibson-Mount <quanah@zimbra.com> wrote:
> > > IMHO it is extremely harsh how the self-signed certs are treated by
> > > OpenLDAP. In the majority of cases this is forcing people (after
> > > many hours of struggling) to use "TLS_REQCERT never" or similar
> > > settings, which ends up being a lot more insecure than it would be
> > > to accept a known self-signed cert... Not to mention that the
> > > syncrepl suboption "tls_reqcert=never" is apparently ignored so
> > > practically I've found that syncrepl is currently inoperable with
> > > any form of encryption. Is there anybody who could tell me what
> > > this is good for?
> >
> > Interestingly, plenty of people have gotten this to work.  First, you
> > need to know how to create self-signed certs using a CA.  Of course,
> > that's really off-topic for the OpenLDAP list, even though it has
> > been discussed many times.  But until you know how to get that
> > working, you won't be able to get the syncrepl client to work, either.
> I'm using certificates I've generated for many years with a lot of
> software having SSL support like Apache, Cyrus IMAP, Postfix, OpenVPN,
> etc. and all of these are working seamlessly, with the exception of
> OpenLDAP.

But why do you configure OpenVPN to use a certificate as a CA certificate, but 
not your OpenLDAP clients? Or do you throw away half the value of SSL by 
disabling certificate validation on *all* of these services?

> It's not only me who's struggling, just Google around if 
> you don't believe me... Even the Gentoo Linux ebuild for OpenLDAP
> suggests that I have to use "TLS_REQCERT never" with self-signed
> certificates or else TLS won't work. And they're right.

IMHO, the Gentoo documentation for LDAP isn't necessarily the greatest. 
Neither are most out-of-date HOWTOs (as there is no "WHY NOT TO", or "WHY TO" 
part to them).

> To a proper self-signed certificate OpenLDAP simply says "self-signed
> certificate in certificate chain" or something like that and TLS/SSL
> handshake fails with an error.

For a client connection (such as syncrepl), add TLS_CACERT pointing to the 
certificate in your ldap.conf. In general (I haven't looked at 
the "TLS_REQCERT never" case), if ldapsearch works with the -ZZ flags, then 
syncrepl will work.
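An added check (my example, not code from the thread or from the OpenLDAP project) that audits an ldap.conf for the two points made above: the "TLS_REQCERT never" workaround, and a TLS_CACERT line pointing at the self-signed cert or the CA that signed the server cert. The hostname, base DN and CA path in the constructed sample files are placeholders.

```shell
#!/bin/sh
# Added example: audit an ldap.conf for disabled certificate validation.
# Returns 0 when the file validates the server cert against a CA file,
# 1 when validation is switched off or no CA file is configured.
check_ldap_conf() {
    conf="$1"
    # ldap.conf keywords are case-insensitive; the last occurrence wins
    reqcert=$(awk 'toupper($1)=="TLS_REQCERT"{print tolower($2)}' "$conf" | tail -n 1)
    cacert=$(awk 'toupper($1)=="TLS_CACERT"{print $2}' "$conf" | tail -n 1)
    case "${reqcert:-demand}" in
        never|allow)
            echo "WEAK: TLS_REQCERT ${reqcert} skips server certificate validation"
            return 1 ;;
    esac
    if [ -z "$cacert" ]; then
        echo "WEAK: no TLS_CACERT, so a self-signed server cert cannot be verified"
        return 1
    fi
    echo "OK: TLS_REQCERT ${reqcert:-demand (default)}, CA file ${cacert}"
    return 0
}

tmp=$(mktemp -d)
# Constructed sample: the workaround the HOWTOs suggest (placeholder names)
cat > "$tmp/ldap-weak.conf" <<'EOF'
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_REQCERT never
EOF
# Constructed sample: the fix from the reply - point TLS_CACERT at the
# self-signed cert (or its CA) and keep the default TLS_REQCERT demand
cat > "$tmp/ldap-fixed.conf" <<'EOF'
URI ldap://ldap.example.com
BASE dc=example,dc=com
TLS_CACERT /etc/ssl/certs/ldap-ca.pem
TLS_REQCERT demand
EOF
check_ldap_conf "$tmp/ldap-weak.conf"   # WEAK, exit status 1
check_ldap_conf "$tmp/ldap-fixed.conf"  # OK, exit status 0
# Live check once the fixed file is in place (needs a reachable server):
#   ldapsearch -ZZ -x -H ldap://ldap.example.com -b dc=example,dc=com
# -ZZ makes StartTLS mandatory; if that succeeds, syncrepl will too.
```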